From: Florent D. <fde...@gm...> - 2013-03-29 08:05:26
Hello Ondrej,

Thanks very much for taking the time to explain this to me. I guessed it was an ACL problem; I even tried to modify the profile file, but in the wrong section. And as you pointed out, the ACLs are applied when a file is created on the token. I thought they would be applied during the PKCS15 initialization once and for all. It seems I was wrong!

However, opensc-explorer doesn't give me much information about the ACL. Or do I need to "decrypt" the security attributes?

    florent@ubuntu12-10:~# opensc-explorer
    OpenSC Explorer version 0.13.0rc1
    Using reader with a card: Feitian ePass2003 00 00
    OpenSC [3F00]> cd 5015
    OpenSC [3F00/5015]> info 3400

    Elementary File  ID 3400

    File path:            3F00/5015/3400
    File size:            64 bytes
    EF structure:         Transparent
    ACL for READ:         N/A
    ACL for UPDATE:       N/A
    ACL for DELETE:       N/A
    ACL for WRITE:        N/A
    ACL for REHABILITATE: N/A
    ACL for INVALIDATE:   N/A
    ACL for LIST FILES:   N/A
    ACL for CRYPTO:       N/A
    Security attributes:  96 96 FF 9F FF FF FF FF

So I guess it is possible to modify the ACL, right? By the way, how do I read the ACL? Does the first one take precedence over the others? i.e. the "NEVER" directive is for the READ and UPDATE actions, no?

    *=NEVER,READ=$PIN,UPDATE=$PIN;

But if I can't read it I will never be able to use my object, right? Would it be possible to use the following ACL, then?

    ACL = READ=$PIN,UPDATE=NEVER;

What would be the collateral consequences of that? I mean, will other objects be affected by this change?

Again, thanks,
Cheers

2013/3/28 Ondrej Mikle <ond...@ni...>

> On 03/28/2013 09:19 AM, Florent Deybach wrote:
> > As you can see, the object is present:
> >
> > root@ubuntu12-10:~# pkcs15-tool --dump
> >
> > Using reader with a card: Feitian ePass2003 00 00
> >
> > [...]
> > Data object 'cleTruecrypt'
> > applicationName: cleTruecrypt
> > Path: 3f0050153400
> > Auth ID: 01
>
> My guess would be that the default ACLs prevent deleting the file. If you look
> at /usr/share/opensc/epass2003.profile, there is the following part describing
> ACLs for 3f00/5015/34xx files:
>
> # data objects are stored in transparent EFs.
> EF privdata {
>     file-id = 3400;
>     structure = transparent;
>     ACL = *=NEVER,READ=$PIN,UPDATE=$PIN;
> }
>
> That means the ACL for delete is NEVER, i.e. even PIN authorization won't
> suffice for deletion of this file. It would be consistent with the log you
> posted - the authenticate APDU instruction goes through OK, but erasing in the
> last APDU fails with SW 0x69 0x82 "security status not satisfied".
>
> AFAIK you won't be able to delete the file without erasing the card
> (pkcs15-init -E) or erasing the parent DF 5015.
>
> Note that the ACLs from the profile are applied at the moment a file is
> created on token (like key or data object).
>
> Ondrej
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
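To illustrate the precedence question raised in the message above (does `*=NEVER` win over `READ=$PIN`, and what does `READ=$PIN,UPDATE=NEVER;` leave undecided?), here is an added Python model. It is not OpenSC's own profile parser: it applies the entries of a profile ACL string left to right, with `*` assigning every operation and a later named operation overriding it, then evaluates which operations a verified PIN unlocks. The operation list (taken from opensc-explorer's `info` output), the `UNSPECIFIED` placeholder and the ordering rule are this model's assumptions drawn from the thread, not OpenSC's code.

```python
from typing import Optional

# Added illustration, not OpenSC's own code: a small model of how a pkcs15-init
# profile ACL string resolves to one access condition per file operation, and
# what that implies once the user PIN has been verified.

# Operation names as printed by opensc-explorer's "info" command. The list is an
# assumption of this model, not OpenSC's complete operation table.
FILE_OPS = ("READ", "UPDATE", "DELETE", "WRITE",
            "REHABILITATE", "INVALIDATE", "LIST FILES", "CRYPTO")


def _normalise_op(name: str) -> str:
    # Accept "LIST-FILES", "list_files" and "LIST FILES" as the same operation.
    return name.strip().upper().replace("-", " ").replace("_", " ")


def resolve_acl(acl: str) -> dict:
    """Return {operation: condition} for a string such as
    '*=NEVER,READ=$PIN,UPDATE=$PIN;'.

    Entries are applied left to right: '*' assigns the condition to every
    operation, and a named operation later in the string overrides it. That
    ordering rule is this model's reading of the profile syntax; an operation
    the string never mentions is left as 'UNSPECIFIED'.
    """
    conditions = {op: "UNSPECIFIED" for op in FILE_OPS}
    for entry in acl.strip().rstrip(";").split(","):
        entry = entry.strip()
        if not entry:
            continue
        op, sep, cond = entry.partition("=")
        op, cond = _normalise_op(op), cond.strip()
        if not sep or not cond:
            raise ValueError(f"malformed ACL entry: {entry!r}")
        if op == "*":
            for name in FILE_OPS:
                conditions[name] = cond
        elif op in conditions:
            conditions[op] = cond
        else:
            raise ValueError(f"unknown file operation: {op!r}")
    return conditions


def is_allowed(conditions: dict, op: str, verified_pins=()) -> Optional[bool]:
    """True/False when the profile decides the operation, None when it does not.

    NONE  -> always allowed; NEVER -> denied whatever was authenticated;
    $NAME -> allowed only if that PIN (here just its symbolic name, e.g. "PIN")
    has been verified in the current session.
    """
    cond = conditions[_normalise_op(op)]
    if cond == "NONE":
        return True
    if cond == "NEVER":
        return False
    if cond.startswith("$"):
        return cond[1:] in verified_pins
    return None  # UNSPECIFIED (or an auth method this model does not cover)


def decide(conditions: dict, verified_pins=()) -> dict:
    """Evaluate every operation under the given set of verified PINs."""
    return {op: is_allowed(conditions, op, verified_pins) for op in FILE_OPS}


if __name__ == "__main__":
    # The ACL quoted from epass2003.profile, evaluated after PIN verification.
    privdata = resolve_acl("*=NEVER,READ=$PIN,UPDATE=$PIN;")
    for op, ok in decide(privdata, verified_pins=("PIN",)).items():
        print(f"{op:13s} {privdata[op]:6s} -> {'allowed' if ok else 'denied'}")
    # DELETE stays NEVER: PIN verification succeeds, the erase is still refused,
    # which is the 69 82 "security status not satisfied" seen in the thread.

    # The ACL proposed in the question has no '*' entry, so DELETE is left
    # undetermined by the profile (None) rather than NEVER.
    proposed = resolve_acl("READ=$PIN,UPDATE=NEVER;")
    print(decide(proposed, verified_pins=("PIN",)))
```

Running it prints READ and UPDATE as allowed and every other operation, DELETE included, as denied for the shipped ACL, which is the outcome Ondrej describes: the verify succeeds and the erase is still refused. For the proposed `READ=$PIN,UPDATE=NEVER;`, the model reports DELETE as `None`: without a `*` entry the profile simply says nothing about deletion, so the model cannot decide it.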